- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 17 Jun 2009 23:46:58 +0000 (UTC)
- To: "Mark S. Miller" <erights@google.com>
- Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>

On Wed, 17 Jun 2009, Mark S. Miller wrote:
> On Wed, Jun 17, 2009 at 4:32 PM, Ian Hickson <ian@hixie.ch> wrote:
> > On Wed, 17 Jun 2009, Mark S. Miller wrote:
> > > > > > >>
> > > > > > >> If it does transmit any of these currently, are there any
> > > > > >> objections to revising the spec so that it doesn't?
> > > >
> > > > Why?
> > >
> > > So that the containing page can use such a credential removing
> > > service to allow sanitized content within the page to make requests
> > > -- either to its own or to other origins -- while preventing this
> > > content from "speaking for" the containing page or the user.
> >
> > The contained page already can't speak on behalf of the containing
> > page -- that's what removing the Origin (and setting Origin to 'null')
> > prevents.
>
> "or the user."

But... we want the page talking on behalf of the user. That's the point
of a browser. I don't really understand what we're trying to prevent here.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 17 June 2009 23:47:31 UTC